Bad Rabbit – Ransomware

A new ransomware attack ‘Bad Rabbit’ is spreading online, months after the arrival of WannaCry and ExPetr.

The malicious software has mostly hit Russia so far, though attacks have also been reported in Germany, Ukraine and Turkey.

Kiev’s underground Metro, Ukraine’s Odessa International Airport and Russian websites Interfax and Fontanka are among those who have been affected so far.

Like WannaCry, the virus encrypts documents on a computer and demands payment to unlock them again. The current ransom being charged is 0.05 Bitcoin, which equates to £220.

Cyber security firm Kaspersky Lab says it is investigating the attacks, and claims that the malware is being accidentally downloaded by victims via a fake Adobe Flash install file.

“Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack,” writes Kaspersky Labs’ Alex Perekalin. “However, we cannot confirm it is related to ExPetr. We continue our investigation.”

The infection process starts with a fake Adobe Flash installer that is downloaded from compromised websites. This fake Flash installer holds the actual ransomware payload in a ZLIB-packed overlay. Once decrypted, it drops and executes the actual ransomware (identified as b14d8faf7f0cbcfad051cefe5f39645f).

The ransomware payload mentioned above holds no less than six different tools as ZLIB-compressed resources that are used for encryption purposes, as well as for spreading laterally. These tools are:

The encryptor component (identified as 5b929abed1ab5406d1e55fea1b344dab)

The bootloader (identified as b14d8faf7f0cbcfad051cefe5f39645f)

Mimikatz, a utility that extracts passwords and authentication tickets from memory, in two builds:

A Mimikatz binary compiled for x86 (identified as 37945c44a897aa42a66adcab68f560e0)

A Mimikatz binary compiled for x64 (identified as 347ac3b6b791054de3e5720a7144a977)

A DiskCryptor driver compiled for x86 (identified as b4e6d97dafd9224ed9a547d52c26ce02)

A DiskCryptor driver compiled for x64 (identified as edb72f4a46c39452d1a5414f7d26454a)
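The dropper layout described above (the payload held in a ZLIB-packed overlay, the six tools stored as ZLIB-compressed resources) is something a responder can triage generically without running the sample. The Python below is an added example, not code from this post or from Bitdefender: it scans a file image for complete zlib streams, carves each one, and labels the result against the MD5s quoted in the list above. The input produced by `build_sample` is a constructed stand-in (a filler stub, one compressed dummy payload and a decoy header), not a real sample, and all function names are my own.

```python
import hashlib
import zlib

# MD5s quoted in the post for the dropped components; used purely as a
# watchlist to label carved blobs.
KNOWN_COMPONENT_MD5 = {
    "b14d8faf7f0cbcfad051cefe5f39645f": "ransomware dropper / bootloader",
    "5b929abed1ab5406d1e55fea1b344dab": "encryptor component",
    "37945c44a897aa42a66adcab68f560e0": "Mimikatz x86",
    "347ac3b6b791054de3e5720a7144a977": "Mimikatz x64",
    "b4e6d97dafd9224ed9a547d52c26ce02": "DiskCryptor driver x86",
    "edb72f4a46c39452d1a5414f7d26454a": "DiskCryptor driver x64",
}

# Constructed dummy payload (assumption: looks PE-like, is not a real binary).
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 200 + b"CONSTRUCTED-SAMPLE-PAYLOAD"


def looks_like_zlib_header(b0: int, b1: int) -> bool:
    """RFC 1950 CMF/FLG check: compression method 8 (deflate) and the
    16-bit header value must be a multiple of 31."""
    return (b0 & 0x0F) == 8 and ((b0 << 8) | b1) % 31 == 0


def carve_zlib_streams(data: bytes, min_size: int = 16):
    """Return [(offset, decompressed_bytes)] for every complete zlib stream
    in data. Only streams that reach a clean end-of-stream are kept, which
    filters out byte pairs that merely happen to pass the header check."""
    found = []
    off = 0
    while off < len(data) - 1:
        if looks_like_zlib_header(data[off], data[off + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[off:])
            except zlib.error:
                out = b""
            if d.eof and len(out) >= min_size:
                found.append((off, out))
                # Skip the consumed stream so its body is not re-scanned.
                off += len(data) - off - len(d.unused_data)
                continue
        off += 1
    return found


def triage(data: bytes):
    """Carve embedded streams and label any whose MD5 is on the watchlist."""
    report = []
    for off, blob in carve_zlib_streams(data):
        md5 = hashlib.md5(blob).hexdigest()
        report.append({
            "offset": off,
            "size": len(blob),
            "md5": md5,
            "label": KNOWN_COMPONENT_MD5.get(md5, "unknown"),
            "is_pe": blob[:2] == b"MZ",
        })
    return report


def build_sample() -> bytes:
    """Constructed stand-in for a dropper: 64 bytes of filler, then one
    zlib-compressed overlay, then a decoy zlib header followed by junk that
    fails to inflate (exercises the error path)."""
    stub = b"MZ" + b"\x00" * 62
    decoy = b"\x78\x9c" + b"\xff" * 16
    return stub + zlib.compress(SAMPLE_PAYLOAD, 9) + decoy


if __name__ == "__main__":
    for entry in triage(build_sample()):
        print(entry)
```

To use it on a real file image, pass `open(path, "rb").read()` to `triage`. The scan is offset-agnostic, so blobs stored in the PE resource directory are found the same way as an appended overlay; matching the MD5 of a carved blob against the watchlist is how the nested tools can be tied back to the published indicators without executing anything.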

What we know so far

Bad Rabbit is extremely similar to GoldenEye / NotPetya, both structurally and in its broader focus. It targets Ukrainian critical infrastructure and is highly viral due to its use of Mimikatz, which lets it move from one infected workstation to another across an organization. It also features disk encryption via the DiskCryptor driver, so it can interfere with the normal boot process and prevent the computer from starting up.

Game of Thrones characters referenced in the sample.

Last, but not least, while the ransomware component references Game of Thrones characters, it also has a process hashing routine extremely similar to what GoldenEye used to verify what security solutions were installed locally prior to encrypting the MBR.

If you are running a Bitdefender antimalware product for either home or business, you don’t need to worry, as our solutions detect this threat as Gen:Heur.Ransom.BadRabbit.1 and Gen:Variant.Ransom.BadRabbit.1.
